GDPR and Data Breaches
It’s a fact there are bad guys that make it their mission to hack into your company’s website and network to find vulnerabilities. Many businesses have already fallen victim to hackers and the majority of all businesses are concerned that they may be breached. If the breach includes sensitive customer data it can have a significant negative impact on companies which includes reputational damage and loss in their customers confidence that their data is secure.
What are GDPR’s Data Breach guidelines?
GDPR addresses data breaches in Article 33. If a personal data breach has been detected organizations have 72 hours to inform the appropriate supervisory authority (regulators) of the incident. If there is a delay the organization must explain why there was a delay of notification. The notification should include details such as the nature of the breach, steps that have been taken to identify what personal data was accessed and the estimated consequences of the breach. The notification should also include the actions that the organization has taken or will take to minimize the effects of the breach and prevent additional breaches.
The information needed to support this requirement comes in the form of a forensic report, conducted either internally, or by third-party expert support. The forensic report is what the investigators provide and helps organizations understand how the attack happened, what vulnerabilities were exploited, what data was compromised, etc. By continuously and effectively monitoring and logging all data access, organizations can better understand the specifics of what was compromised, by whom, and how in a much quicker fashion; thereby shortening investigation time and compliance with the 72-hour requirement.
The contact details of the Data Protection Officer (DPO) should also be communicated. If for any reason the organization doesn’t have complete information about the breach in the expected time, then the organization should provide the information that’s been collected and communicate additional information as it is obtained. The breach and all related information should be documented for compliance reasons.
What’s the Breach Notification Challenge?
GDPR data breach notification is challenging because 72 hours is a very short reporting window. Organizations need to develop a governance framework to meet the challenge of completing a thorough investigation and notifying the supervisory authorities within 72 hours. Companies that are unprepared will find it difficult to comply to the guideline. Even with appropriate planning, it may be an overwhelming undertaking for organizations to understand how the breach happened, identify who’s affected, what vulnerabilities were exploited, what data was compromised, determine how to resolve the situation and keep day-to-day operations running.
Organizations also need to identify the appropriate supervisory authority(s) to notify. The breach notification requirements vary by country. It’s important to know in advance the various breach notification requirements of various countries. This may include reporting using specific online portals or forms and reporting in the supervisory authority(s) native language.
What can companies do to protect themselves from breaches?
There isn’t a 100% way to avoid data breaches, the following is a list of things to consider that will assist your company to reduce its exposure to data breaches:
- Reduce the volume of personal data that your organization needs to store and protect. Don’t collect personal data that you don’t need.
- Employ a cyber threat hunter to test your organizations websites and networks for weaknesses. Threat Hunters can help you stay ahead of the latest security threats and proactively mitigate exposure from hackers.
- Complete regular breach response drills to test the governance framework that you’ve implemented.
- Update your data security and breach processes and policies on a regular basis and ensure all employees are trained.
- Ensure all security patches, firewalls, anti-virus, anti-spyware are up-to-date.
- Secure all computers with appropriate password protection (use of strong passwords, changing passwords on a regular basis, multi-factor authentication) and time-out requirements.
- Monitor your databases to identify unauthorized or suspicious data access.
Are you having challenges implementing GDPR? Crayon has the GDPR services that can assist you to work towards GDPR compliance. Contact your Crayon Account Manager or contact at email@example.com
Contact your Crayon Account Manager or contact at firstname.lastname@example.org.